Scaling Security in Software Development: The Art of Possible

Scaling Security in Software Development: The Art of Possible

Have you heard about the shortage of cybersecurity skills? It’s likely you have, as it’s hard to miss the headlines. According to Cybersecurity Magazine, “there will be 3.5 million unfilled cybersecurity jobs globally by 2021.” Let’s unpack this a bit. What is cybersecurity, apart from being a buzzword overused by some and hated by others? It is a wide collection of loosely related domains — offensive and defensive, deeply technical and policy-related, preventive and corrective.

If we look under the hood of skills shortage, will we find that some domains are harder hit than others? Inevitably so. Software development is one of the areas most starved of security attention. Even though it is a known fact that vulnerable applications are one of the easiest routes for attackers, somehow the industry still gets away with the idea of security as an optional add-on rather than a basic requirement for an acceptable application.

Know Your Options

What are the options for an organization that does not want to contribute to the sad statistics and wants to take security in software development seriously? The range of options runs from training everyone in application security to an adequate degree to setting up a team of full-time security specialists that will somehow support the rest of the development organization. Let’s take a closer look.

The first option, often described as “security is everybody’s job,” is a noble aspiration. Is it realistic for most organizations, though? Even with significant initial investment in training and some ways to maintain and update the skills, the ethos of security will inevitably become diluted with new hires and mostly with the othe ..